Pentagon Issues New Rules for Non-DOD IT Systems: This Is IT

By Robert Levinson

The Defense Department’s broad effort to tighten up cybersecurity is expanding its purview to ensure that non defense systems meet new standards. Contractors who fail to meet these standards may soon find themselves unable to compete for DOD work.

DOD Chief Information Officer Dana Deasy has approved new measures to protect unclassified nonpublic DOD information from cyberattackers. The new instructions, which were released on Dec. 9, incorporate rules for contractors using external cloud providers and Federal Risk and Authorization Management Program (FedRAMP) standards that were not included in the previous version of this rule. Contractors and other entities that possess this type of information will need to implement the measures immediately.

However, the rule does not apply to DOD IT systems being operated by contractors, non-DOD IT systems providing IT services to DOD and unclassified information that has been cleared for public release. Other rules cover these systems.

Cybersecurity and supply chain security standards are increasingly being built into contract requirements. The new DOD instruction 8582.01, entitled “Security of Non-DOD Information Systems Processing Unclassified Nonpublic DOD Information,” which supersedes a previous instruction issued in June 2012, directs these requirements to be written into all types of legal agreements with DOD.

The need for stronger security is clear. As recently as 2018 sensitive DOD information on submarine warfare was stolen from a Navy contractor’s unclassified information system. “Many contractors are not following best practices for network encryption and email security: nearly 50% of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework,” according to a cybersecurity report performed by BITSIGHT in 2018.

The non-DOD systems covered by the rule must be protected in accordance with the National Institute of Standards and Technology (NIST) publication 800-171. If the non-DOD entity is using an external cloud service, then they must ensure that the cloud provider meets the FedRAMP moderate baseline.

Some of the NIST requirements include:

  • Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  • Sanitize or destroy information system media containing nonpublic DOD information before disposal or release for reuse.
  • Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  • Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

The instruction also requires reporting to this website when unclassified nonpublic information is compromised, within 72 hours of discovery. To report these incidents, contractors and others must have a certificate, which can be found here. The non-DOD entity must all preserve records of the incident and allow DOD access for forensic examination and damage assessment.

In the future, based on the sensitivity of the information, DOD components will include requirements in contract solicitations for the bidders to describe how they have implemented the NIST standards and demonstrate compliance prior to contract award. Contracts may also include provisions for companies to notify the DOD of any deficiencies that emerge and the remediation efforts undertaken.

To contact the analyst: Robert Levinson in Washington, D.C. at rlevinson@bgov.com

To contact the editor responsible: Daniel Snyder at dsnyder@bgov.com

Top